[PATCH v2 6/8] scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer overflow

Takashi Iwai <tiwai@xxxxxxx> · Sun, 15 Mar 2020 10:42:39 +0100

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Also corrected the wrongly passed limit size.  The remaining buffer
size must be decremented.

Cc: "James E . J . Bottomley" <jejb@xxxxxxxxxxxxx>
Cc: "Martin K . Petersen" <martin.petersen@xxxxxxxxxx>
Cc: Kashyap Desai <kashyap.desai@xxxxxxxxxxxx>
Cc:  Sumit Saxena <sumit.saxena@xxxxxxxxxxxx>
Cc: Shivasharan S <shivasharan.srikanteshwara@xxxxxxxxxxxx>
Cc: linux-scsi@xxxxxxxxxxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
v1->v2: Align the remaining lines to the open parenthesis

 drivers/scsi/megaraid/megaraid_sas_base.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 5bebdd397580..babe85d7b537 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -2987,9 +2987,10 @@ megasas_dump_sys_regs(void __iomem *reg_set, char *buf)
 	u32 __iomem *reg = (u32 __iomem *)reg_set;
 
 	for (i = 0; i < sz / sizeof(u32); i++) {
-		bytes_wrote += snprintf(loc + bytes_wrote, PAGE_SIZE,
-					"%08x: %08x\n", (i * 4),
-					readl(&reg[i]));
+		bytes_wrote += scnprintf(loc + bytes_wrote,
+					 PAGE_SIZE - bytes_wrote,
+					 "%08x: %08x\n", (i * 4),
+					 readl(&reg[i]));
 	}
 	return bytes_wrote;
 }
-- 
2.16.4







